author | Dries Buytaert <dries@buytaert.net> | 2003-07-09 21:48:13 +0000 |
committer | Dries Buytaert <dries@buytaert.net> | 2003-07-09 21:48:13 +0000 |
commit | ae4fe72d17ba4ab24172509f1219bea2f049835c (patch) | |
tree | 70627a98d73ecbd3f36996f43c63ddae9a58ab5f /includes/common.inc | |
parent | 1c9a5e9fb8fa93e99437fadf624e55d66647f4be (diff) | |
download | brdo-ae4fe72d17ba4ab24172509f1219bea2f049835c.tar.gz brdo-ae4fe72d17ba4ab24172509f1219bea2f049835c.tar.bz2 |
- Changed the XSS check a little to be slightly more forgiving wrt style
attributes.
Diffstat (limited to 'includes/common.inc')
-rw-r--r-- | includes/common.inc | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/includes/common.inc b/includes/common.inc
index 87ab7640c..448cf5f09 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -484,8 +484,8 @@ function xss_check_input_data($data) {
    */
   // check attributes:
-  $match = preg_match("/\W(style|dynsrc|datasrc|data|lowsrc|on[a-z]+)\s*=[^>]+?>/i", $data);
-  $match += preg_match("/\W(src|href)\s*=[\s'\"]*javascript[^>]+?>/i", $data);
+  $match = preg_match("/\W(dynsrc|datasrc|data|lowsrc|on[a-z]+)\s*=[^>]+?>/i", $data);
+  $match += preg_match("/\Wjavascript\s*:/i", $data);
   // check tags:
   $match += preg_match("/<\s*(applet|script|object|style|embed|form|blink|meta|html|frame|iframe|layer|ilayer|head|frameset|xml)/i", $data); |
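Review bot: Dropping `style` from the first attribute pattern removes every check on style attributes, not just the overly strict one, so a `style` value carrying a CSS `expression(` (executable in the browsers of the time) is no longer rejected even though the new `javascript\s*:` line still catches `url(javascript:` inside it; a narrower rule such as `$match += preg_match("/\Wstyle\s*=[^>]*expression\s*\(/i", $data);` would keep the forgiving behaviour the message asks for without giving that up. The replacement `/\Wjavascript\s*:/i` is also no longer tied to an attribute context, so ordinary prose like "JavaScript: an introduction" now trips the check, and it only matches the literal spelling — whether entity-encoded or whitespace-split variants are normalised before this point cannot be seen in the hunk. Both of these are worth a short comment on the line stating what the pattern is and is not expected to catch. xss_check_input_data starts before the hunk and continues after it.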